AccountDumpling Phishing Operation Hijacks 30,000 Facebook Accounts

The digital frontier has just witnessed a seismic shift in the sophistication of social engineering. In a meticulously documented report released on May 2, 2026, researchers at Guardio Labs have unveiled a sprawling, Vietnamese-linked cyber-offensive known as the AccountDumpling phishing operation. This campaign does not merely impersonate brands; it weaponizes the very architecture of the modern web—specifically Google’s legitimate business infrastructure—to dismantle the security of over 30,000 Facebook Business accounts globally. With a surgical focus on high-value targets, the operation has seen a staggering 68.6% of its victims located within the United States, signaling a direct assault on the American digital advertising and enterprise ecosystem.
The Trust Inversion: How AccountDumpling Exploits Google AppSheet
Traditional phishing relies on deception at the domain level—spoofing a sender address or using a look-alike URL (typosquatting). The AccountDumpling phishing operation renders these classic defenses obsolete by utilizing what security experts call a “Trust Inversion.” Instead of trying to bypass email filters from the outside, the attackers have moved inside the house. They leverage Google AppSheet, a no-code business automation tool, as a high-fidelity “phishing relay.”
By creating automated workflows within legitimate AppSheet accounts, the threat actors trigger system-generated notifications. These emails are sent directly from noreply@appsheet.com and appsheet.bounces.google.com. Because these are authentic Google domains, the messages perfectly align with the industry-standard authentication protocols: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). To a Secure Email Gateway (SEG) or a standard spam filter, these emails are indistinguishable from legitimate business alerts. They land directly in the “Primary” inbox, carrying the implicit seal of approval from Google’s own servers, forcing the victim to rely solely on their ability to detect the deceptive content within the message body.
The Anatomy of the Lure: Meta-Related Panic
The primary psychological trigger used by AccountDumpling is “Meta-related panic.” Business owners receive notifications claiming their Facebook pages are scheduled for permanent disablement due to alleged copyright violations or policy breaches. One specific lure identified in April 2026 referenced a fictitious “Case ID: 6480258166,” warning that the user had only 24 hours to appeal before their business asset was deleted. This artificial urgency is designed to bypass the victim’s critical thinking, driving them toward a series of sophisticated “attack clusters.”
Deconstructing the Four Attack Clusters
The modular nature of the AccountDumpling phishing operation is perhaps its most formidable attribute. Guardio Labs identified four distinct clusters that cater to different psychological profiles and levels of technical resistance.
Cluster A: The Netlify Clones and HTTrack Artifacts
In the first tier of the attack, the operators use HTTrack, a powerful website copier, to create pixel-perfect replicas of the Facebook Help Centre. These clones are not hosted on suspicious, freshly-registered domains but on Netlify, a reputable cloud platform for static sites. To evade broad URL blocklists, the attackers generate unique subdomains for each victim. This cluster focuses on harvesting primary credentials—passwords and emails—but it goes a step further by requesting photos of government-issued IDs. This data isn’t just for account access; it provides the attackers with the documentation necessary to bypass Facebook’s manual identity verification should the victim attempt to recover the account later.
Cluster B: Zero-Font Tactics and Homograph Evasion
This cluster targets those seeking the prestige of a “Blue Badge” verification or exclusive advertiser rewards. Technically, it is a masterclass in filter evasion, employing “zero-font” tactics and Cyrillic homoglyphs.
- Zero-Font Obfuscation: Attackers insert invisible Unicode “hair spaces” (U+200A) between the letters of “Facebook” or “Security.” While the human eye sees a normal word, automated Natural Language Processing (NLP) engines see a jumble of characters that don’t trigger “phishing” keywords.
- Cyrillic Homoglyphs: By replacing the Latin “a” with the Cyrillic “а” (U+0430), the attackers create URLs and text that look identical to the real thing but lead to entirely different server destinations.
These methods ensure that even if a security tool scans the content of the legitimate Google-sent email, it fails to recognize the malicious intent.
Cluster C: Live Control via Socket.io and WebSockets
The third cluster represents the “scariest” and most advanced evolution of the campaign. Here, the attackers host malicious PDFs on Google Drive, often designed using Canva to maintain a professional aesthetic. These PDFs contain links to a “Live Control” panel.
Unlike static phishing pages, this cluster utilizes Socket.io and WebSockets to maintain a persistent, bidirectional connection between the victim’s browser and the attacker’s operator panel. When a victim enters their 2FA code, it doesn’t just sit in a database; it is streamed in real-time to an active human operator. The operator can then instantly push a “Code Invalid” or “Verify Again” prompt back to the victim if the initial 2FA attempt fails or if they need a second code for a password change. This Adversary-in-the-Middle (AiTM) approach makes traditional SMS or App-based 2FA almost entirely ineffective.
Cluster D: The Recruitment Trap
The final cluster moves away from infrastructure abuse and into pure social engineering. Attackers impersonate corporate recruiters from global brands like Adobe, Apple, and Coca-Cola. High-value targets are approached with lucrative job offers or collaboration opportunities. The goal is to move the conversation away from monitored professional platforms into private WhatsApp chats. Once trust is established in this intimate channel, the attacker delivers a “test” file or a “portfolio link” that leads back to the credential-harvesting infrastructure of the previous clusters.
Supply Chain and Attribution: The “Phạm Tài Tân” Connection
The AccountDumpling phishing operation is not merely a collection of hacks; it is a professionalized, industrial-scale business. Guardio Labs traced the command-and-control (C2) infrastructure to specific Telegram bots, such as @haixuancau_bot and @globalglobalglobalbot_bot, which are managed by aliases like “Big Bosss” and “@mansinblack.”
A critical operational security (OPSEC) failure provided the “smoking gun” for attribution. Metadata within the Canva-generated PDFs used in Cluster C contained the name “PHẠM TÀI TÂN” (Phạm Tài Tân). Researchers successfully linked this name to a legitimate-looking business persona in Vietnam that offers “digital marketing” and—ironically—“Facebook account recovery services.” This reveals a cynical, circular criminal economy:
- The group steals a high-value Facebook Business account.
- They use the account to run fraudulent ads or extort the owner.
- They then attempt to “sell” a recovery service back to the original victim, effectively charging a ransom to return the asset they stole.
This professionalization of the cybercrime supply chain allows the “specialists” who code the AppSheet relays to sell access to “monetizers” who specialize in account exploitation.
Why the United States is the Epicenter
The heavy concentration of victims in the United States (68.6%) is no accident. Facebook Business accounts in the U.S. typically have higher credit limits for advertising and are connected to established payment methods. A single compromised U.S. business account can be used to run thousands of dollars in “ad-credit” fraud, promoting everything from “weight loss” scams to malware-laden software downloads. Furthermore, the U.S. business culture’s heavy reliance on Google Workspace and AppSheet makes them the perfect demographic for an exploit that abuses those very tools.
Protective Measures for the New Threat Landscape
The AccountDumpling phishing operation proves that “checking the sender address” is no longer a viable security strategy. To defend against such sophisticated infrastructure abuse, organizations must shift their paradigm:
- Implement FIDO2 Hardware Keys: Because Cluster C uses real-time WebSockets to intercept codes, traditional 2FA (SMS or TOTP) is vulnerable. FIDO2-compliant hardware keys (like YubiKeys) are the only effective defense against AiTM attacks, as they require physical presence and are cryptographically bound to the legitimate domain.
- Heuristic Contextual Analysis: Security teams should configure their email gateways to flag any appsheet.com emails that contain keywords like “Meta,” “Facebook,” “Copyright,” or “Blue Badge.” There is virtually no legitimate reason for Google AppSheet to be sending official Meta support notifications.
- Employee Training on “Service Notifications”: Staff must be taught that even if an email is “verified” by their inbox provider (Google/Outlook), the content can still be malicious. The “noreply” address should never be treated as a guarantee of safety.
- Monitor for Outbound WebSockets: On a network level, monitoring for unusual WebSocket traffic to unknown Netlify or Vercel subdomains can help identify a live phishing session in progress.
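Putting the Cluster B evasion tricks together with the heuristic contextual analysis recommended above, here is an added Python example (not from the Guardio report or this article) that strips the hair-space “zero-font” padding, folds Cyrillic homoglyphs back to Latin, and flags an AppSheet-relay message only when it carries the Meta-themed lure keywords. The homoglyph table beyond U+0430, the extra invisible code points, and both sample messages are constructed assumptions.

```python
import unicodedata
from email import message_from_bytes, policy
from email.utils import parseaddr

# Invisible code points removed before matching. U+200A (hair space) is the one
# the report describes; the others are assumed, commonly abused companions.
INVISIBLE = frozenset("\u200a\u200b\u200c\u200d\u2060\ufeff\u00ad")

# Cyrillic letters that render like Latin ones. U+0430 comes from the report;
# the rest is an assumed, deliberately small subset.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0410": "A", "\u0412": "B",
    "\u0415": "E", "\u041a": "K", "\u041c": "M", "\u041d": "H", "\u041e": "O",
    "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X",
})

RELAY_DOMAINS = frozenset({"appsheet.com", "appsheet.bounces.google.com"})
LURE_KEYWORDS = ("meta", "facebook", "copyright", "blue badge")


def normalize(text: str) -> str:
    """Undo zero-font and homoglyph tricks so plain keyword matching works."""
    # Strip invisibles first: NFKC would turn U+200A into a real space.
    text = "".join(ch for ch in text if ch not in INVISIBLE)
    text = unicodedata.normalize("NFKC", text)  # also folds fullwidth Latin
    return text.translate(HOMOGLYPHS).casefold()


def classify(raw: bytes) -> dict:
    """Flag a raw RFC 5322 message from an AppSheet relay sender with lure keywords."""
    msg = message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].casefold()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = normalize(str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else ""))
    hits = [k for k in LURE_KEYWORDS if k in text] if domain in RELAY_DOMAINS else []
    return {"sender_domain": domain, "keywords": hits, "flag": bool(hits)}


# Constructed sample reproducing the lure: hair spaces inside "Facebook",
# Cyrillic "е" and "а" inside "Meta", Latin elsewhere.
LURE_SAMPLE = (
    "From: AppSheet <noreply@appsheet.com>\nTo: owner@example.com\n"
    "Subject: Action required: your page is scheduled for disablement\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Your F\u200aa\u200ac\u200ae\u200ab\u200ao\u200ao\u200ak page violates copyright "
    "policy (Case ID: 6480258166). Appeal within 24 hours.\n"
    "Visit M\u0435t\u0430 Support to keep your Blue Badge.\n"
).encode("utf-8")

# Constructed benign AppSheet notification: same sender, no lure keywords.
BENIGN_SAMPLE = (
    "From: AppSheet <noreply@appsheet.com>\nTo: owner@example.com\n"
    "Subject: Inventory app: row updated\nContent-Type: text/plain; charset=utf-8\n\n"
    "Row 42 of the Inventory table was changed by a teammate.\n"
).encode("utf-8")
```

Run it on real mail by feeding each message's raw bytes to `classify`; a `flag` of `True` is a quarantine or review signal, not proof of compromise.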
Conclusion: The Professionalization of Deception
The AccountDumpling phishing operation represents a milestone in the evolution of cybercrime. By weaponizing Google AppSheet, the attackers have turned the internet’s trust protocols against the users they were meant to protect. This campaign highlights a future where technical sophistication and psychological manipulation are inextricably linked, and where the “circular economy” of theft and recovery provides a self-sustaining financial engine for threat actors. As we move further into 2026, the burden of defense shifts from automated filters to a combination of hardware-rooted security and a radical, healthy skepticism of even the most “legitimate” digital notifications.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


